Asymmetric Encryption
Asymmetric algorithms (also sometimes called public-key algorithms) are designed in such a way that the key used for encryption is different from the key used for decryption, as shown in Figure 24-3. The decryption key cannot (at least in any reasonable amount of time) be calculated from the encryption key and vice versa.
Figure 24-3. Asymmetric (Public Key) Encryption
The main feature of asymmetric encryption algorithms is that the encryption key (often called the public key) does not have to be secret; it can be published freely and anyone can use this key to encrypt data. The corresponding decryption key (often called the private key) is known only to a single entity that can decrypt data encrypted with the encryption key. Therefore, when you need to send an encrypted message to someone else, you first obtain the public (encryption) key of the other person and transform the message with it. Only the recipient knows the private (decryption) key and can, therefore, decrypt the message.
Asymmetric algorithms are relatively slow (up to 1000 times slower than symmetric algorithms). Their design is based on computational problems, such as factoring extremely large numbers or computing discrete logarithms of extremely large numbers.
The best-known asymmetric cryptographic algorithms are the Rivest, Shamir, and Adleman (RSA); ElGamal; and elliptic curve algorithms. RSA is recommended because it is widely trusted for its resistance against attacks and its well-known internals. Because of their lack of speed, asymmetric encryption algorithms are usually used to protect small quantities of data (such as digital signatures or key exchange). Key exchange allows you to use the slower, more secure asymmetric algorithm to protect the exchange of the key for a faster symmetric algorithm over a public network, such as the Internet.
Key management tends to be simpler than with symmetric (secret key) algorithms. As stated earlier, with asymmetric encryption, each device has a pair of keys (public and private). The public key of each device has to be publicly available (known by all other devices) to allow a full mesh of encrypted communication, whereas with symmetric encryption different symmetric keys have to be safely distributed for each combination of two peers. Asymmetric keys are usually used for a longer time (months to years).
Asymmetric Encryption Example: RSA
Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman invented the RSA algorithm in 1977. It was a patented public-key algorithm, and its patent expired in September 2000, putting the algorithm in the public domain. Of all the public-key algorithms proposed over the years, RSA is still the most strongly preferred.
RSA has withstood years of extensive cryptanalysis, and although analysis has neither proven nor disproven the security of the RSA algorithm, it does suggest a justifiable confidence. The security of RSA is based on the difficulty of factoring very large numbers, that is, breaking them into multiplicative factors. If an easy method of factoring these large numbers were discovered, the effectiveness of RSA would be destroyed (and, as a side effect, mathematics might take a huge leap). RSA keys are usually 1024 to 2048 bits long.
RSA, like all asymmetric encryption algorithms, can be used in two different ways:
- Confidentiality: The sender encrypts the data with the public key of the receiver. This guarantees that only the receiver can decrypt the data.
- Authenticity of digital signatures: The sender uses its private key to sign (encrypt) the data. Such a signature can be verified by everybody because only the public key is needed to verify (decrypt) the signature.
RSA is used for device authentication (IP phone to Cisco CallManager and vice versa) in Cisco IP telephony.
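The two uses listed above, and the dependence on factoring, shown as an added example that is not from the original text: textbook RSA in Python with a constructed toy key. The primes, `SESSION_KEY`, the sample message, and all function names are assumptions for illustration; there is no padding and the modulus is far below the 1024 to 2048 bits the text gives.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Derive (public, private); computing d requires the prime factors p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # d = e^-1 mod phi (Python 3.8+)

def encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(private, c):
    n, d = private
    return pow(c, d, n)

def _digest(message, n):
    # Toy reduction of SHA-256 into the small modulus; real schemes pad instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    n, d = private
    return pow(_digest(message, n), d, n)

def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == _digest(message, n)

def private_from_public(public):
    """Factor n by trial division, then rebuild d. Instant for this toy modulus,
    infeasible for the 1024 to 2048 bit keys the text mentions."""
    n, e = public
    f = 3
    while n % f:
        f += 2
    return make_keypair(f, n // f, e)[1]

# Constructed sample values: two small Mersenne primes and a short symmetric key.
PUBLIC, PRIVATE = make_keypair(2**17 - 1, 2**19 - 1)
SESSION_KEY = 0x1F2E3D4C

if __name__ == "__main__":
    wrapped = encrypt(PUBLIC, SESSION_KEY)           # confidentiality: public key
    print("key unwrapped:", decrypt(PRIVATE, wrapped) == SESSION_KEY)
    sig = sign(PRIVATE, b"phone-01 hello")           # authenticity: private key
    print("signature ok:", verify(PUBLIC, b"phone-01 hello", sig))
    print("private key rebuilt from n:", private_from_public(PUBLIC) == PRIVATE)
```

The last function is why key length matters: once the modulus can be factored, the public key alone yields the private key.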